ACCESS CONTROL PROTOCOL BETWEEN AN ELECTRONIC
KEY AND AN ELECTRONIC LOCK

The present invention relates to an access control
protocol between an electronic key and an electronic lock
effecting logical access control.

Logical control of access to buildings, to premises
containing data processing systems or systems storing
fiduciary, technology or information assets, is
currently of great and increasing interest.

Access control methods usually employ a portable
access element functioning as a key, referred to as the
accessing resource, and an accessed resource functioning as
a lock.

Logical access control between an accessed resource 
functioning as an electronic lock and an accessing 
resource functioning as an electronic key currently 
consists of a succession of operations to verify 
information or messages exchanged between the electronic 
key and the electronic lock. 

One of the main advantages of logical access 
control, compared to conventional physical access control 
of the lock-and-key type, is the facility to allow access 
to an accessed resource only within a predetermined short 
time period. 

However, if the system comprising the accessing
resource and the accessed resource provides one or
several accessing resources allowing access to several
accessed resources through similar logical access
control, counterfeiting during the validity time period
of either an electronic key functioning as the accessing
resource or the access control dialogue between one of
the electronic keys and one of the accessed resources
functioning as an electronic lock can then allow
illegitimate access to all of the accessed resources.
Merely reproducing the logical access control dialogue
between the accessing resource and one of the accessed
resources allows such illegitimate access through a
procedure referred to as "playback".

A conventional solution that has been implemented 
with the aim of responding to any such illegitimate use 
applies logical access control based on cryptographic 
mechanisms to limit the period of validity of the right 
of access to a short period, to foil illegitimate use 
outside the validity time period in the event of loss, 
theft or illicit holding of the electronic key. One such 
solution, described in French Patent Application No. 
2 722 596 (94 08770) in the name of FRANCE TELECOM and LA 
POSTE and published 9 January 1996, establishes a digital 
signature of the time period during which access is 
authorised. Access to the accessed resource is 
conditional on verification of the aforementioned digital 
signature within the accessed resource. 

Another conventional solution implemented with the 
same aim, more particularly to respond to playback, uses 
a random variable to introduce a variability or diversity 
characteristic into the access control dialogue between 
the key and the electronic lock. A solution of this kind 
would appear to have limitations because the random 
nature of the random variables obtained by means of the 
usual random or pseudo-random generators is not totally
satisfactory unless one or more external physical
variables of a purely random nature are used and because
non-repetitive production of such random numbers is not
certain, and will therefore not discourage highly skilled 
hackers who are determined to succeed and who have access 
to powerful computation resources. 

In any event, the aforementioned solutions are 
therefore unable to prevent with certainty either 
illegitimate use of an electronic key or playback during 
the validity time period of an accessed resource.

Other solutions have been proposed. Application
EP-A-727 894 describes a system based on secret key
cryptography. These systems raise the problem of key
management as key certificates cannot easily be used.
Patent application EP-A-807 911 describes a system based
on secret key and public key cryptography using ciphering
techniques. A public key certificate enciphered by means
of a secret key is sent. The secret key used is itself
sent enciphered with the public key of the recipient.

The object of the present invention is to remedy the
aforementioned drawbacks of prior art solutions.

An object of this kind is achieved in particular by
integrating into the logical access dialogue between an
accessing resource and at least one accessed resource a
process of authentication of the accessing resource by
the accessed resource and making authorisation or refusal
of access conditional on a successful outcome of the
authentication process.

Another object of the present invention is
consequently to use an access control protocol between an
accessing resource consisting of an electronic key and an
accessed resource consisting of an electronic lock in
such a way that the authentication process is conducted
in accordance with a challenge-and-response protocol and,
in a particularly remarkable manner, the risk of the
electronic key being compromised is further and
significantly reduced to that caused by the presence in
the electronic key of a simple right of access.

A final object of the present invention is to
prevent all risk of picking an electronic lock by
playback in a given validity time period because of the
very existence of the authentication process.

The access control protocol according to the
invention between an electronic key and an electronic
lock performing said access control is remarkable in
that, following presentation of the electronic key to the
electronic lock, the protocol consists of transmitting a
random variable message prompting authentication of the
electronic key from the electronic lock to the electronic
key. On receiving the random variable message prompting
authentication, a signature value of the random variable
message prompting authentication and specific
authentication data are transmitted from the electronic
key to the electronic lock, the signature value
transmitted being calculated from a private signature key
and the specific authentication data. After reception by
the electronic lock of the signature value and the
specific authentication data, the electronic lock
verifies the authenticity of the signature value as a
function of the specific authentication data. In response
to a positive or negative result of said verification
access is accepted or respectively refused.

The access control protocol in accordance with the 
invention between an electronic key and an electronic 
lock can be applied to all types of accessing resource 
and to all types of accessed resource. 

Because the risk of playback is eliminated, the
calculation of the signature value of the random variable
message prompting authentication making determination of
that signature improbable in the absence of physical
possession of the electronic key generating it, the
protocol according to the present invention would appear
to be particularly well suited to the secure management
of a plurality of accessed resources, such as mailboxes,
or even strongboxes, by means of one or more accessing
resources, or electronic keys, enabling legitimate access
to each of the accessed resources, the number of
electronic keys being very much less than the number of
mailboxes or strongboxes.

The invention will be better understood after 
reading the following description and referring to the 
accompanying drawings, in which: 

- figure 1a shows a general block diagram of the
access control protocol in accordance with the present
invention between an electronic key and an electronic
lock;

- figure 1b shows a sequential flowchart of the
succession of steps for implementing the access control
protocol in accordance with the present invention between
an electronic key and an electronic lock;

- figure 1c shows a preferred embodiment of a
signature verification procedure used by an electronic
lock (accessed resource) in accordance with the protocol
according to the present invention;

- figure 1d shows one example of a mode of
operation for obtaining a random variable message
providing an authentication process in accordance with
the protocol according to the present invention;

- figure 1e shows a procedure carried out by an
electronic key for auxiliary verification of a public key
enabling the electronic key to perform the random
variable message signature operation in the context of
the protocol according to the present invention;

- figure 1f shows one example of a method of
reducing picking of an electronic lock outside at least
one validity time period conforming to the protocol
according to the present invention;

- figure 1g shows a particularly advantageous
variant of the auxiliary verification process shown in
figure 1e in which, if the electronic key has an internal
clock, an additional security feature consisting of total
invalidation of the electronic key is provided for
situations in which access is attempted outside the
validity time period;

- figure 2a shows a first advantageous variant of
the protocol according to the present invention which
avoids storing a second public key in each electronic
lock, which increases the overall security level of the
system as a whole;

- figure 2b shows a sequential flowchart of the
steps of the protocol shown in figure 2a;

- figure 3a shows a block diagram of the
electronic architecture of an electronic key for
implementing the access control protocol according to the
present invention; and

- figure 3b shows a block diagram of the
electronic architecture of an electronic lock for
implementing the access control protocol according to the
present invention.

An access control protocol in accordance with the
present invention between an electronic key and an
electronic lock providing logical access control will now
be described in more detail with reference to figures 1a
and 1b.

The access control protocol according to the present
invention consists of a logical access control dialogue
between the electronic key and at least one electronic
lock, this logical access control incorporating a process
of authentication of the electronic key by the electronic
lock in order to authorise or refuse access. The
authentication process uses message and/or data signature
calculation and signature verification operations
verifying the authenticity of the aforementioned messages
or data.

By way of non-limiting example, the signature
calculation operations followed by the signature
verification operations included in the protocol
according to the present invention can be based either on
a secret key signature algorithm or on a public key
algorithm using a private signature key associated with a
public signature verification key.

The signature calculation and signature verification
operations for implementing the access control method
according to the present invention are described
hereinafter in connection with one non-limiting preferred
embodiment of the invention using an encryption or
signature algorithm employing at least one public key and
one private key, the algorithm being the RSA algorithm
developed by RIVEST, SHAMIR and ADLEMAN, for example.
Other public key algorithms can be used without
disadvantage.

Employing the usual terminology, in the context of 
the signature calculation and signature verification 
processes, if a public key algorithm is used, any 
signature key is a private key, which must be kept 
secret, whereas any signature verification key is a 
public key, which can be divulged. However, if a secret 
key algorithm is used and the secret key can be used as 
an encryption key to carry out a signature operation, a 
key of this kind and the signature verification key must 
be secret keys.

By convention, for any private key used to calculate
a signature, the notation used for the calculation of the
signature obtained by application of the private key K_s by
the signature algorithm used, i.e. the RSA algorithm in
the context of this example, is:

Likewise, the notation used for any signature
verification operation effected by applying the public
key K_p associated with the private key K_s to the
aforementioned signatures or signed messages X,Y,Z, the
signature being a digital message, is:

v_{K_p}(X,Y,Z)

In any signature calculation operation, respectively 
signature verification operation, A,B,C, respectively 
X,Y,Z, designates the arguments subjected to the 
signature operation, respectively signature verification 
operation, these arguments consisting of messages or 
data, of course, as previously mentioned. 

By definition, the verification operation using the
public key K_p applied to a signature obtained by means of
a private key K_s applied to an argument A and taking A as
an input parameter produces a Yes/No verification
response. This verification is written:

v_{K_p}(S_{K_s}(A), A) = Yes/No.

If message re-establishing algorithms are used for 
the signature and signature verification operations, such 
as the RSA algorithm, a verified value VA of the argument 
A is obtained, and is supposedly equal to the argument A 
itself, of course. 

To be more specific, to enable the use of the access 
control protocol according to the present invention, the 
electronic key and the electronic lock are each provided 
with modules Ca_k and Ca_i for calculating and memorising
data, to enable storage in memory of any message 
necessary for the identification process, calculation of 
the signatures and verification of the signatures to 
enable use of the authentication process. The suffixes k 
and i represent a physical reference or address allocated 
to an electronic key and to an electronic lock, 
respectively. 

In figure 1a and the subsequent figures, an
electronic key EK_kj is used to implement the access
control protocol according to the invention. The suffix k
corresponds to a serial number or identifying number of
the electronic key itself. The suffix j corresponds to a
validation operation reference or address for the
electronic key EK_kj, as described in more detail later.
Each electronic key EK_kj is therefore provided with a
calculation module Ca_k and a message transmission module
T_k, represented by a wire antenna connected to the
calculation unit Ca_k, the wire antenna enabling
transmission of messages by electromagnetic means, for
example.

The same applies to each electronic lock. Figure 1a
shows a set of electronic locks B_1, B_i to B_N, each
electronic lock B_i having a calculation and memory module
Ca_i and a transmission module T_i represented by a wire
antenna and enabling electromagnetic transmission and
reception of messages or data, for example.

In the event of an attempt to access a lock B_i using
a key EK_kj, the respective wire antennas T_k and T_i are
brought face-to-face to enable the exchange of messages
for assuring the previously mentioned logical access
control.

Generally speaking, in figure 1a, as in all the
figures accompanying this description, in any general
block diagram including various actors of the access
control protocol according to the invention, any
transaction, i.e. any exchange of messages between
actors, is represented by an arrow extending from one of
the actors to the other.

If an operation is effected internally, by the
actors, that operation is represented by a closed arrow
indicating internal execution for the actor concerned.

Finally, any transaction between two actors
performed as an antecedent to implementation of the
protocol according to the present invention is
represented by a dashed line arrow.

The access control protocol according to the present
invention between an electronic key and an electronic
lock is implemented under the control of a certification
authority shown diagrammatically in figure 1a and
responsible for general management of the set of
electronic keys EK_kj and the set of electronic locks B_i
accessible by means of at least one of the electronic
keys.

As shown in figure 1a, the certification authority
can consist of a signature entity which is approved to
choose and define a private key K_s in the context of
execution of the signature algorithms previously referred
to. The private signature key K_s is therefore chosen by
the signature entity and this signature key is neither
communicated nor divulged to any other actor authorised
to use the access control protocol according to the
present invention.

The certification authority further comprises a
validation entity which can be separate from the
signature entity but is related to it hierarchically. The
signature entity communicates to the validation entity
the public key K_p associated with the private key K_s and
authentication data DA_j which in fact consists of the
signature using the private key K_s held by the
certification authority of a certain number of arguments,
including in particular a second public key K'_p, a time
period value PH_j associated with the second public key K'_p
and, for example, specific auxiliary data AUX. In the
remainder of the description, the time period PH_j is
referred to as the validity time period.

The second public key K'_p is associated with a
private key K'_s. The initiative for choosing the second
private key K'_s and the second public key K'_p can be
accorded to the validation entity.

To implement the access control protocol according
to the present invention, each electronic key EK_kj is
subjected to a validation operation V_j consisting of
loading and/or downloading the data parameters and
messages held by the validation entity and needed to
implement the access control protocol according to the
present invention into the memory circuits of each of the
aforementioned electronic keys EK_kj. The operation V_j is
therefore shown in chain-dotted line in figure 1a,
because it is carried out before the first use of a
particular electronic key, of course. During this
operation, the authentication data DA_j and the second
private key K'_s are loaded into the memory circuits of
each electronic key EK_kj and appropriate memory circuits
for the data and the key are preferably provided in the
calculation unit Ca_k, the memory circuits including at
least one protected memory area whose level of protection
substantially corresponds to that of the protected memory
areas of a smart card, for example, in order to store the
second private key K'_s in a secure manner. The
authentication data DA_j is specifically loaded before one
or more uses of the electronic key EK_kj.

Thus each electronic key EK_kj, which is unusable
before any validation operation V_j, is in fact replaced by
an operational electronic key EK_kj, the suffix j
designating the reference to the authentication data DA_j
associated with the aforementioned electronic key, and in
particular the validity time period of the second private
key K'_s and the second public key K'_p associated with that
time period.

Also, the validation operation V_j consists of
loading or downloading into each key EK_kj the first public
key K_p corresponding to the first private key K_s held by
the certification authority. Specifically, the first
public key K_p is loaded once only into each electronic key
EK_kj before one or more successive uses, according to the
key management policy defined by the certification
authority for each application concerned.

A step (figure 1a) of validating each electronic
lock B_i consists of storing in memory and loading and/or
downloading into the memory circuits of each calculation
unit Ca_i the first and second public keys K_p, K'_p referred
to previously.

After the aforementioned validation operations V_j
and V_i, the access control protocol according to the
present invention can be conducted between a validated
electronic key EK_kj and any electronic lock B_i that has
also been validated, as previously mentioned.

Any attempt at access by an employee holding an
electronic key EK_kj entails that person bringing together
the respective transmission units T_k and T_i of the
electronic key and the electronic lock.

This having been effected (by way of non-limiting
example) between the key and the lock B_i shown in figure
1a, the electronic key EK_kj sends the electronic lock B_i
an identification request message A_ki. The identification
request message can be an identification number specific
to the electronic key EK_kj, for example. Following
verification of the identification request message A_ki,
the electronic lock B_i can implement the access control
protocol according to the present invention, as described
hereinafter. The aforementioned verification operation
can simply consist of verifying the value of the message
communicated against reference values.

Referring to the aforementioned figure, the access
control protocol according to the present invention
consists at least of transmission from the electronic
lock B_i to the electronic key EK_kj of a random variable
message a_ij prompting authentication of the electronic
key, after reception by the electronic lock B_i of the
identification request message A_ki sent to it by the
accessing electronic key.

Following reception by the electronic key of the
random variable message prompting authentication, the
key calculates a signature value C_i of the random variable
message prompting authentication. In figure 1a, this step
is denoted:

C_i = S_{K'_s}(a_ij).

Given the convention indicated, the signature value of
the random variable message prompting authentication is
obviously obtained from the second private key K'_s. It is
clear in particular that the signature operation C_i in
respect of the random variable message prompting
authentication a_ij in fact establishes the right of access
of the electronic key to the electronic lock for the true
value of that signature. It is further clear, in
accordance with one particularly advantageous aspect of
the protocol according to the present invention, that the
right of access is modified for each transaction and each
attempted access.

Following this signature calculation step, the
electronic key EK_kj transmits to the electronic lock B_i
the signature C_i and specific authentication data DA_j, the
data being specific to the validity time period PH_j of the
second private key K'_s and the second public key K'_p
associated with that validity time period, of course. The
aforementioned transmission operation is denoted C_i, DA_j
in figure 1a.

Following reception by the electronic lock B_i of the
signature value C_i and the specific authentication data
DA_j, the electronic lock B_i verifies the authenticity of
the signature value as a function of the specific
authentication data, as shown by a closed arrow in figure
1a. In the same manner as previously, the aforementioned
verification operation by the electronic lock B_i is
denoted:

v_{K_p K'_p}((C_i, DA_j), K_p, K'_p) = Yes/No.

Given the convention previously adopted, it is clear that
the aforementioned verification step is effected by
applying the first and second public keys K_p, K'_p, taken
as parameters. The application of the aforementioned keys
can also restore verified values of the random variable
message transmitted by the electronic lock B_i to the
electronic key and the specific authentication data DA_j.
The verification operation enables the electronic lock B_i
to decide to accept or refuse the requested access,
according to whether they are authentic or not. Thus in
the event of a positive result (Yes) of the
aforementioned verification step, access is allowed
whereas in the event of a negative result (No) access is
refused.
A sequential description of the access control
protocol according to the invention, as shown by the
general block diagram in figure 1a, will now be given
with reference to figure 1b.

In figure 1b, step 1000 represents the step of
transmission by the electronic key EK_kj of the
identification request message A_ki. That step is followed
by a step 1001 representing the transmission of the
random variable message a_ij by the electronic lock B_i to
the electronic key EK_kj. The next step 1002 represents,
based on the initial validation data V_j, and successively,
the calculation of the random variable message signature
C_i and transmission of the signature and the specific
authentication data DA_j. The preceding step 1002 is itself
followed by the step 1003, effected by the electronic
lock and based on the initial validation data V_i, of
verifying the authenticity of the signature value,
according to the specific authentication data.

By way of non-limiting example, and for simplicity,
the aforementioned verification step can generate a
verification variable V, itself corresponding to a logic
value 0 or 1, i.e. to the Yes or No result mentioned
previously. This being the case, step 1003 is then
followed by a step 1004 which is carried out at the level
of the electronic lock to verify the true value of the
verification logic variable V or the Yes, No result. The
true value of the latter leads to authorisation of access
(step 1006) whereas the absence of a true value leads to
refusal of access (step 1005).

With regard to the nature of the specific
authentication data DA_j transmitted by the electronic key
EK_kj to the electronic lock B_i, as shown in figure 1a, the
data consists of at least a public key certificate
associated with the private signature key K'_s. The public
key certificate consists of a digital signal value of at
least one validity time period PH_j relative to a right of
access and the second public key K'_p.

Accordingly, given the convention previously
indicated, the specific authentication data DA_j
corresponds to the signature S_{K_s} of various arguments such
as the second public key K'_p associated with the private
signature key K'_s, at least one time period PH_j associated
with the second public key K'_p, the specific
authentication data DA_j being obtained by application of
the private signature key K_s of the signature entity. In
particular, it is clear for example that various time
period values can be used, for example by employing a
diversity program for choosing a specific time period
from among several such periods.

Note, however, that apart from the two arguments
previously mentioned, the second public key K'_p and the
time period PH_j, another
argument relating to the auxiliary data AUX can be
subjected to the aforementioned signature operation S_{K_s}.
The auxiliary data can advantageously comprise, although
this is not limiting on the invention, a serial number of
the associated electronic key EK_kj, that serial number
representing a code of the suffix k indicative of the
aforementioned electronic key. Other digital values or
data can be transmitted by the electronic key, by way of
the field relating to the auxiliary data, as described
later.

The transmission steps 1000, 1001 and the
transmission substep of step 1002, as shown in figure 1b,
are performed by the transmission systems of the
electronic key EK_kj and the lock B_i, denoted by the
reference T_i in the case of the lock.

Finally, in one advantageous embodiment of the
access control protocol according to the present
invention, the step of transmission from the electronic key
EK_kj to the electronic lock B_i, shown in figure 1a and
referenced 1002 in figure 1b, can consist of transmitting
the second public key K'_p obtained from the authentication
data DA_j, for example, in addition to the signature value
C_i of the random variable message prompting authentication
and the authentication data DA_j. For this reason, the
second public key K'_p is shown in parentheses during the
transmission step shown in figure 1a and referenced 1002
in figure 1b. In a case like this, it is naturally not
necessary to store the second public key K'_p in memory in
the electronic lock during the operation V_i to validate
each electronic lock B_i. The first public key K_p is then
used during the operation of verifying the authentication
data v_{K_p K'_p}(C_i, DA_j) to attest to the authenticity of the
second public key K'_p transmitted.

Generally speaking, the step of verification of the
authenticity of the signature value by the electronic
lock can be effected by means of a secret key when the
signature calculation operation is based on that secret
key or another secret key or a public key if the
signature operation is based on a private key.

A more detailed description of the verification step
1003 effected by the electronic lock B_i will now be given
with reference to figure 1c, in the specific but
non-limiting situation of using a message re-establishing
algorithm such as the RSA algorithm.

As shown in the aforementioned figure, the
verification step 1003 includes, in succession, a first
verification step 1003a effected by the electronic lock
B_i, this verification consisting of verifying the
authenticity of the specific authentication data DA_j
against reference data comparison criteria stored
previously in the memory circuits of the electronic key
EK_kj. It is clear in particular that applying the first
public key K_p available to the signature provides a
verified value of the public key K'_p associated with the
private signature key K'_s, given the conventions referred
to above, the verified public key value denoted VK'_p, and
a verified value of the time period PH_j. The auxiliary
data is also reproduced when auxiliary data is
transmitted by means of the argument AUX in the signature
S_{K_s}.

Accordingly, and in a manner that is not limiting on
the invention, the reference data stored in the memory
circuits of the electronic key EK_kj does not correspond
only to the second public key K'_p associated with the
private signature key K'_s, the time period value PH_j and,
where applicable, the serial number of the key, which can
be stored in a protected read-only circuit. The verified
values following the operation of verifying the reference
values can then be compared by a simple equality
comparison 1003a. In step 1003a there is merely shown the
equality test on the verified value of the second public
key VK'_p against the stored value of the second public key
K'_p.

In the event of a positive result of the
aforementioned comparison in step 1003a, a second
verification is performed by the electronic lock B_i in
step 1003b. As shown in the aforementioned figure, this
second verification consists of verifying the signature
value of the random variable message prompting
authentication.

Given the previous conventions, the second verification is
denoted:

v_{K'_p}(C_i) = v_{K'_p}(S_{K'_s}(a_ij)).

Clearly during this second verification step performed in step
1003b, a verified value Va_ij is obtained for the random
variable message prompting authentication. The verified value
of the random variable message prompting authentication can
then be compared with the random variable message prompting
authentication a_ij, which will have been stored beforehand in
the memory circuits of the electronic lock B_i, of course.

Thus it is clear that the second verification of the signature
value is conditional on verification of the second public key
K'_p associated with the private signature key K'_s and
therefore, in the final analysis, on the aforementioned
specific authentication data DA_j.

Generally speaking, the first verification of the authenticity
of the specific authentication data, represented in step 1003a
in figure 1c, can consist of checking the validity time period
PH_j associated with the second public key K'_p. By applying the
first public key K_p to the signature S_{K_s}(K'_p, PH_j, AUX),
the verification step enables the value of the validity time
period PH_j associated with the second public key K'_p to be
obtained, alone, of course.

As shown in figure 1d, the random variable message prompting
authentication a_ij mentioned above can depend on an
identification value CB_i of the electronic lock. It can
correspond to a serial number or a coded arbitrary number
allocated to the aforementioned electronic lock B_i.

As also shown in figure 1d, the random variable message a_ij
can also depend on a continuously increasing variable count
value CO which can correspond to a date value expressed as a
year Y, month M, day D, hour H, minute m and second s.

It is clear, for example, that the field CB_i and the field CO
relating to the identification value of the electronic lock and
to the continuously increasing variable value can be coded on
the same number of bits, for example 32 or more bits, in which
case each field can be combined bit-by-bit on the basis of a
logical composition law ⊗, for example, to generate a component
r_ij of the random variable message prompting authentication,
as shown in figure 1d. The composition law is an exclusive-OR
operation, for example. The random variable message a_ij is
then obtained by concatenating the component r_ij and the
fields CB_i and CO. This coding method guarantees that the
random variable message obtained is not repetitive.

Although the field relating to the serial number of the
electronic lock CB_i can be given by any protected memory
element available in the memory circuits of the aforementioned
electronic lock, the count value CO can be delivered either by
an incremental counter or by an internal clock available in
each electronic lock. Using an incremental counter has the
advantage of simplifying the circuits required to implement
each electronic lock.

One particularly advantageous embodiment of the access control
protocol according to the present invention between an
electronic key and an electronic lock will now be described
with reference to figure 1e.

Figure 1e shows the electronic key EK_kj as shown in figure 1a,
for example. However, in addition to the calculation circuits
Ca_k associated with the aforementioned electronic key, the key
has an internal clock CK. The internal clock delivers a clock
signal VCK to the corresponding calculation unit Ca_k.

This being so, and as shown in figure 1e, the protocol
according to the present invention further consists of an
auxiliary verification step 1007 for verifying authorisation of
signature calculation for the random variable message prompting
authentication. The auxiliary verification step is carried out
by the electronic key EK_kj following reception of the random
variable message prompting authentication a_ij in step 1001, as
shown in figure 1a, but before the step of calculation and
transmission of a signature value by the electronic key, as
shown in step 1002 in the aforementioned figure.
The auxiliary verification step 1007 consists of using the
first public key K_p to check the public key certificate and
the validity time period PH_j associated with the
aforementioned second public key K'_p against the internal
clock.

Given the above conventions, and taking the second public key
K'_p as a parameter, the verification operation is denoted:

v_{K_p}(S_{K_s}(K'_p, PH_j, AUX), K'_p) = Yes/No

However, using a message re-establishment algorithm leads to an
operation denoted:

v_{K_p}(S_{K_s}(K'_p, PH_j, AUX))

which produces the verified value VK'_p of the second public
key which can be compared to the value of the second public key
K'_p, as previously mentioned.

The aforementioned verification step then provides the verified
value of the validity time period PH_j. The value of the clock
signal VCK is compared to the validity time period PH_j to
verify the validity of the second public key K'_p with which the
aforementioned validity time period is associated. For example,
the value of the clock signal VCK for a given validity time
period can be compared to the limits which define the
aforementioned validity time period PH_j.

Step 1007a is followed by a step 1007b consisting of verifying
the association of the second private signature key K'_s with
the second public key K'_p whose validity was verified in the
preceding step 1007a. The association verification operation
carried out in step 1007b can consist of calculating a
signature S_{K'_s}(X) obtained by applying the second private
signature key K'_s to a random variable X generated by the
electronic key EK_kj (see figure 1e). A verification step
applied to the verification signature value S_{K'_s}(X) then
constitutes the association verification step, the verification
applying to the signature calculated previously and being
denoted:

v_{K'_p}(S_{K'_s}(X)).

This verification step produces a verified value VX of the
random variable X in step 1007b. A test which compares the
verified value VX of the random variable X with the previously
stored random variable X determines the validity of the
association of the second private signature key K'_s with the
second public key K'_p, whose validity was verified in the
preceding step 1007a.

Verifying that the validity time period PH_j is compatible with
the clock signal VCK, that the verified value VK'_p of the
second public key K'_p is identical to the value of the second
public key K'_p, and that the verified value of the random
variable VX is identical to the value of the random variable X
constitutes a test which, if the result is positive (step
1007c, see figure 1e), enables the protocol according to the
present invention to continue (step 1007e), which is followed
by the signature of the random variable message prompting
authentication a_ij (step 1002). In the event of a negative
result, the aforementioned protocol is interrupted (step
1007d).

Performing the verification operations 1007a and 1007b using
the message re-establishment signature verification algorithms,
such as the RSA algorithm, previously referred to can
preferably be carried out when the second public key K'_p is
transmitted, in the subsequent step of transmitting the
electronic key EK_kj to the electronic lock B_i. In any other
case, in the absence of such transmission, the verification
operation can be reduced to an operation of the following type,
taking the second public key K'_p as parameter:

v_{K_p}(S_{K_s}(K'_p, PH_j, AUX), K'_p) = Yes/No

What is more, the protocol according to the present invention
can be adapted to limit all attack outside of the validity time
period PH_j associated with the second public key K'_p.

To this end, as shown in figure 1f, during the step of
verification by the electronic lock B_i of the authenticity of
the signature value (step 1003 in figure 1a and more
particularly steps 1003a and 1003b in figure 1c), following the
first step 1003a of verifying the authenticity of the specific
authentication data DA_j, consisting of checking the validity
time period associated with the second public key K'_p, but
prior to the second verification step 1003b shown in figure 1c,
a plurality of tests (1003a_1, figure 1f) can be carried out to
limit all attack outside the aforementioned validity time
period. In figure 1f, the plurality of tests is represented, in
a manner that is not limiting on the invention, as a
comparison, within the aforementioned validity time period, of
the count value CO delivered by the electronic lock or, where
applicable, a time signal delivered by a clock when the
electronic lock has a clock. To be more specific, this test can
consist of comparing the count value CO to limits defining the
aforementioned validity time period PH_j, for example. If the
count variable CO or the corresponding time signal is not
inside the validity time period, the electronic lock B_i
refuses any attempt at access. Other tests limiting attack
outside the validity time period can be considered.

With regard to tests for limiting all attack outside a
particular time period PH_j, a preferred non-limiting
embodiment will be described hereinafter in the situation where
the electronic key has a real-time clock. At the time of any
attempt at access, if the verification step such as the step
1007a has been effected validly at the level of the electronic
key EK_kj, in particular the test for the compatibility of the
time variable delivered by the clock signal VCK with the time
period PH_j, the current time variable VCK delivered by the
real-time clock is stored in the electronic key EK_kj.

During the step of transmitting the electronic key EK_kj to the
electronic lock B_i, shown in Fig. 1a and referenced 1002 in
Fig. 1b, the time variable VCK is transmitted in addition to
the signature value C_i and the authentication data DA_j, and
the second public key K'_p where applicable. For this reason
the time variable is shown in brackets.

The subsequent verification steps can then be performed in the
electronic lock B_i.

As shown in figure 1f, for a count value CO delivered by a
counter in the electronic lock B_i, a count value at the time
of the attempt at access and a reference value VC_ref
corresponding to a count value at the time of a previous
attempt at access, for example, are stored in the lock.

For a time period PH_j reduced to a time interval
[VH_1, VH_2], it is verified that the time variable VCK stored
in memory and transmitted is after VH_1 and before VH_2 and
also that VCK is after VC_ref. If any of the foregoing
verifications is not satisfied, access to the lock B_i is
barred. It is accepted otherwise.
Of course, and in a manner that is not limiting on the
invention, the time period PH_j can comprise a plurality of
non-contiguous time intervals. In this case, the time period
PH_j can be expressed in the form of a union of time intervals,
in which U represents the UNION operator:

PH_j = [VH_1, VH_2] U [VH_3, VH_4] U ... U [VH_{n-1}, VH_n]

The limits which delimit each time interval can advantageously
each be expressed as a date in the form day, month, year and a
time in the form hour, minute, second.
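
The lock-side tests described above (VCK inside PH_j, VCK after VC_ref), written out as a Python sketch added to this text; it is not part of the patent. The textual interval format, the class and function names, and the policy of updating VC_ref after each accepted attempt are assumptions of this example.

```python
"""Lock-side time tests of figure 1f for a period made of several intervals.

Added illustration: the text format of PH_j, all names and the VC_ref
update policy are assumptions of this example, not taken from the patent.
"""
from datetime import datetime

FMT = "%d/%m/%Y %H:%M:%S"   # day, month, year, hour, minute, second


def parse_period(text):
    """Parse 'VH_1 - VH_2; VH_3 - VH_4; ...' into a sorted list of intervals."""
    intervals = []
    for part in text.split(";"):
        lo, hi = (datetime.strptime(s.strip(), FMT) for s in part.split(" - "))
        if lo >= hi:
            raise ValueError(f"interval limits out of order: {part.strip()}")
        intervals.append((lo, hi))
    return sorted(intervals)


class LockTimeTests:
    """State kept by the lock B_i: the reference value VC_ref."""

    def __init__(self, vc_ref):
        self.vc_ref = vc_ref

    def check(self, vck, period):
        """Return (accepted, reason) for the time variable VCK sent by the key."""
        # VCK must be after the lower and before the upper limit of one interval
        if not any(lo < vck < hi for lo, hi in period):
            return False, "VCK outside PH_j"
        # VCK must be after the value recorded at a previous attempt
        if vck <= self.vc_ref:
            return False, "VCK not after VC_ref"
        # Assumption: only an accepted attempt moves the reference value forward
        self.vc_ref = vck
        return True, "ok"


# Constructed sample: two non-contiguous morning slots.
SAMPLE_PERIOD = parse_period(
    "01/03/1999 08:00:00 - 01/03/1999 12:00:00; "
    "02/03/1999 08:00:00 - 02/03/1999 12:00:00"
)

if __name__ == "__main__":
    lock = LockTimeTests(vc_ref=datetime(1999, 2, 28))
    for stamp in ("01/03/1999 09:00:00", "01/03/1999 09:00:00",
                  "01/03/1999 13:00:00", "02/03/1999 08:30:00"):
        print(stamp, lock.check(datetime.strptime(stamp, FMT), SAMPLE_PERIOD))
```

Because a refused attempt leaves VC_ref unchanged, a time value inside the gap between two intervals does not block a later legitimate attempt in the next interval.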
To confer a very high level of security on the access control
protocol according to the present invention, even more strict
measures can be applied, in particular at the level of the
electronic key EK_kj, to limit further risk of fraudulent use
of the electronic key, in particular if it is lost or stolen.
To this end, as shown in figure 1g, the step 1002 shown in
figure 1a of calculating a signature value of the random
variable message prompting authentication can be preceded by a
signature authorisation auxiliary verification step, repeating
some parts of the verification step 1007 shown in figure 1e,
but increasing the security level of the verification by
introducing a step of self-invalidation of the electronic key
EK_kj under conditions explained below.

The electronic key EK_kj includes a clock CK delivering a clock
signal VCK required for implementing the auxiliary verification
step shown in figure 1g, in the same manner as in the case of
implementing the auxiliary verification step of figure 1e.

This being so, as shown in figure 1g, the auxiliary
verification step 1007 comprises a step of checking that a time
variable, the clock signal VCK delivered by the real-time clock
CK, is inside the validity time period PH_j. Clearly, to this
end, the step 1007a shown in figure 1g corresponds
substantially to the step 1007a shown in figure 1e.

Likewise the step 1007b shown in both of the aforementioned
figures.

In the case of figure 1g, the step 1007c of figure 1e is in
fact subdivided into two sub-steps 1007c_1 and 1007c_2, for
example.

The step 1007c_1 consists of testing that the time variable VCK
delivered by the real-time clock is inside the validity time
period PH_j. If the result of the test in step 1007c_1 is
positive, step 1007c_2 compares the verified value VK'_p of the
second public key K'_p to the value of the second public key
K'_p and the verified value VX of the random variable X to the
aforementioned random variable X, for example.

If the result of the test in step 1007c_1 is negative, for
example, in other words if the time variable VCK is not inside
the time period PH_j, the protocol according to the present
invention consists of executing a step 1007c_3 which
invalidates the electronic key EK_kj. The invalidation step
1007c_3 then leads, of course, to a step 1007d of interrupting
the access control protocol according to the present invention,
on the grounds that the electronic key cannot be used.

Various techniques can be used to invalidate the electronic key
EK_kj, such as short-circuiting the supply voltage of the
electronic circuits, i.e. the calculation circuit Ca_k of the
electronic key, and dissipating all of the electrical energy
powering those circuits, or where applicable setting one or
more switch-off variables for inhibiting the operation of the
electronic key concerned.

On the other hand, if the result of the test in step 1007c_2
shown in figure 1g is positive, the protocol continues (step
1007e, i.e. step 1002 of calculating the signature of the
random variable prompting authentication a_ij as shown in
figure 1a).

Variants of the access control protocol according to the
present invention are naturally feasible, in particular to
assure an optimum level of security, both at the level of each
electronic key EK_kj and at the level of each electronic lock
B_i.

Figure 2a shows a variant of the access control protocol
according to the present invention which is particularly
noteworthy in that no second public key K'_p is stored in
memory in each electronic lock B_i.
To this end, firstly, the operation of validating each
electronic lock B_i consists of a validation operation V_i in
which only the first public key K_p is stored in the memories
of the calculation units of each electronic lock B_i.

Secondly, the operation V_j of validating each electronic key
EK_kj consists of transmitting only the specific authentication
data DA_j and the second private signature key K'_s. The second
private signature key K'_s is transmitted and stored in the
memories of the calculation circuits Ca_k of the electronic key
EK_kj.

During attempted access, in accordance with the protocol
according to the present invention, the steps of transmitting
the access request identification message A_ki and the random
variable message prompting authentication a_ij from the
electronic lock B_i to the electronic key EK_kj are unchanged.

On the other hand, the step 1002 previously described of
calculating the signature value of the random variable message
prompting authentication a_ij is modified in the following
manner. The authentication data is verified first, this
verification being denoted

v_{K_p}(S_{K_s}(K'_p, PH_j, AUX)).

With the preceding convention, the second public key K'_p is
restored, which enables the signature value
C_i = S_{K'_s}(a_ij) of the random variable message to be
calculated on the basis of the available second private
signature key K'_s. Because the signature value is available
and stored in memory, the operation of transmitting the
signature C_i of the random variable message prompting
authentication, the specific authentication data DA_j and the
second public key K'_p to the lock B_i can be carried out.

The protocol according to the present invention is then resumed
at step 1003 of figure 1a for example by the lock B_i.

All the verification steps, followed by the steps of
calculating the signature values C_i, followed by the
aforementioned transmission, are represented in steps 1002a,
1002b, 1002c of figure 2b, prior to execution of the step 1003
previously mentioned.
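
The signature chain of steps 1007 and 1003, for the variant in which the lock stores only K_p, as an added Python example that is not part of the patent: it covers the challenge a_ij built from CB_i and CO, the certificate DA_j, the key's self-invalidation and the lock's two verifications. Textbook RSA over constructed Mersenne-prime moduli stands in for the message re-establishing algorithm; these parameters, the 32-bit field packing and all names are assumptions and offer no real security.

```python
"""Toy model of steps 1007 (key) and 1003 (lock) in the figure 2a variant.

Textbook RSA with message recovery over Mersenne-prime moduli: constructed,
insecure parameters with no padding. All names here are this example's own.
"""
import secrets

E = 65537  # public exponent shared by every key pair in this sketch


def keypair(p, q):
    """Return ((n, e), (n, d)) for primes p and q."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def sign(priv, m):
    """S_K(m): signature from which m can be re-established."""
    n, d = priv
    if not 0 <= m < n:
        raise ValueError("message does not fit the modulus")
    return pow(m, d, n)


def recover(pub, s):
    """v_K(s): apply the public key and return the re-established message."""
    n, e = pub
    return pow(s, e, n)


def pack_cert(kp_modulus, vh1, vh2):
    """Signed payload (K'_p, PH_j): modulus || VH_1 || VH_2, 32-bit limits."""
    return (kp_modulus << 64) | (vh1 << 32) | vh2


def unpack_cert(m):
    return m >> 64, (m >> 32) & 0xFFFFFFFF, m & 0xFFFFFFFF


def challenge(cb_i, co):
    """a_ij = r_ij || CB_i || CO with r_ij = CB_i XOR CO (32-bit fields)."""
    return ((cb_i ^ co) << 64) | (cb_i << 32) | co


class Key:
    """Electronic key EK_kj: stores K_p, K'_s and DA_j, and has a clock."""

    def __init__(self, issuer_pub, ks_priv, da_j):
        self.issuer_pub, self.ks_priv, self.da_j = issuer_pub, ks_priv, da_j
        self.invalidated = False

    def respond(self, a_ij, vck):
        """Return (C_i, DA_j, K'_p modulus), or None when step 1007 interrupts."""
        if self.invalidated:
            return None
        vkp, vh1, vh2 = unpack_cert(recover(self.issuer_pub, self.da_j))  # 1007a
        if not vh1 < vck < vh2:          # 1007c_1: VCK outside PH_j
            self.invalidated = True      # 1007c_3: self-invalidation
            return None                  # 1007d
        x = secrets.randbelow(self.ks_priv[0])           # random variable X
        vx = recover((vkp, E), sign(self.ks_priv, x))    # 1007b
        if vx != x:                      # 1007c_2: K'_s does not match K'_p
            return None                  # 1007d
        return sign(self.ks_priv, a_ij), self.da_j, vkp  # 1002


class Lock:
    """Electronic lock B_i: stores only K_p, its identifier CB_i and CO."""

    def __init__(self, issuer_pub, cb_i):
        self.issuer_pub, self.cb_i = issuer_pub, cb_i
        self.co = 0
        self.pending = None

    def prompt(self):
        self.co += 1                     # CO only ever increases
        self.pending = challenge(self.cb_i, self.co)
        return self.pending

    def verify(self, response, now):
        a_ij, self.pending = self.pending, None   # each a_ij is used once
        if a_ij is None or response is None:
            return False
        c_i, da_j, kp_modulus = response
        vkp, vh1, vh2 = unpack_cert(recover(self.issuer_pub, da_j))
        if vkp < 2 or vkp != kp_modulus or not vh1 < now < vh2:   # 1003a
            return False
        return recover((vkp, E), c_i) == a_ij                     # 1003b


# Constructed parameters: issuer pair (K_p, K_s) and key pair (K'_p, K'_s).
ISSUER_PUB, ISSUER_PRIV = keypair(2**107 - 1, 2**127 - 1)
KP_PUB, KS_PRIV = keypair(2**61 - 1, 2**89 - 1)
DA_J = sign(ISSUER_PRIV, pack_cert(KP_PUB[0], 1000, 2000))   # PH_j = [1000, 2000]

if __name__ == "__main__":
    lock, key = Lock(ISSUER_PUB, cb_i=0xB10C), Key(ISSUER_PUB, KS_PRIV, DA_J)
    first = key.respond(lock.prompt(), vck=1500)
    print("fresh response accepted:", lock.verify(first, now=1500))
    lock.prompt()
    print("replayed response accepted:", lock.verify(first, now=1501))
    print("response after PH_j:", key.respond(lock.prompt(), vck=2500))
    print("key invalidated:", key.invalidated)
```

The replayed response fails at step 1003b because the recovered message is the earlier a_ij, whose CO field no longer matches the lock's pending challenge.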

There follows a description with reference to Figures 3a and 3b
of the architecture of an electronic key and an electronic lock
for implementing the access control protocol according to the
present invention.

Figure 3a shows an electronic key EK_kj which has a
cryptographic calculation module Ca_k, a message or data
transmission module E_k and a transmit/receive wire antenna
T_k, as previously described. The cryptographic calculation
module comprises, in addition to a central processor unit CPU,
a protected access memory area 1 for storing at least one
signature value of a validity time period allocated to the
electronic key, that signature value corresponding of course to
the specific authentication data DA_j previously mentioned. The
protected access memory area 1 is also used to store a
signature verification key, the first public key K_p, i.e. the
aforementioned signature, consisting of the specific
authentication data. It also stores a signature key, the second
signature key K'_s mentioned previously. This embodiment
corresponds to the embodiment of the protocol according to the
present invention shown in figure 1a.

The cryptographic calculation module Ca_k also includes a
read-only memory (ROM) 2 enabling the central processor unit
CPU to call programs for calculating the signature value of a
random variable message, i.e. the message a_ij previously
mentioned, and for signature verification on the basis of the
signature keys, respectively signature verification keys, i.e.
the keys K'_s and K_p previously mentioned. The read-only memory
2 of the key stores programs for calculating signature values
of the random variable message and verifying signatures on the
basis of the signature keys K'_s and signature verification
keys K_p, K'_p, as in the flowcharts shown in figures 1e and 1g
previously described.

In addition to the above, and depending on the embodiment of
the protocol according to the present invention used, the
cryptographic calculation module Ca_k includes a clock 3, for
example, delivering the clock signal VCK to the central
processor unit CPU and, of course, a scratchpad random access
memory (RAM) 4.

Finally, the system has a serial port PS for implementing the
validation step V_j previously mentioned.

With regard to the electronic lock B_i shown in figure 3b, it
has, of course, a cryptographic calculation module Ca_i and a
message transmission/reception module E_i both associated with
an antenna T_i which is shown as a wire antenna in figure 3b,
without this being limiting on the invention.

The cryptographic calculation module Ca_i includes a protected
access memory area in addition to a central processor unit CPU.
The protected access memory area is used to store at least one
public signature verification key, i.e. the first public key
K_p and the second public key K'_p in the embodiment of the
protocol according to the present invention shown in figure 1a,
or respectively to store a single public key, i.e. the first
public key K'_p in the embodiment of the protocol according to
the present invention shown in figures 2a and 2b.

What is more, a read-only memory 6 connected to the central
processor unit enables the central processor unit to call
signature verification programs based on the public key or keys
K_p, K'_p previously mentioned. The read-only memory 6 stores
signature verification programs, for example, whose flowchart
corresponds to that shown in figures 1d, 1c and 1f previously
described. Similarly, a counter 7 or if necessary a real-time
clock and a serial port PS are provided.

An access control protocol between an electronic key and an
electronic lock has therefore been described, the electronic
lock applying access control in a particularly powerful manner
in that the electronic key, which has cryptographic potential,
is able to authenticate its attempt to access each of the
accessed electronic locks.

A protocol of the above kind would appear to be of major
benefit because the operation of signature by the key of the
random variable message prompting authentication constitutes a
variable right of access, changing on each transaction, so that
playback is prevented.

Finally, the protocol according to the present invention can be
used to optimise the overall security level in that a single
signature verification public key can be stored in each
electronic lock. It constitutes a secure method of access
control. The optimisation is adapted to suit the application.

The protocol according to the present invention and the
electronic key and the electronic lock for implementing the
protocol would appear to be particularly suitable for
management by approved employees of strongboxes or mailboxes,
for example.
CLAIMS

1. An access control protocol between an electronic key
(EK_kj) and an electronic lock (B_i) performing access control,
in which protocol, following presentation of said electronic
key (EK_kj) to said electronic lock (B_i), a random variable
message (a_ij) prompting authentication of the electronic key
(EK_kj) is transmitted from said electronic lock to said
electronic key, characterised in that, on receiving said random
variable message (a_ij) prompting authentication, the protocol
consists of at least, in succession:

- calculating and transmitting from said electronic key (EK_kj)
to said electronic lock (B_i) a digital signature value of said
random variable message prompting authentication based on a
private signature key (K'_s) and specific authentication data
(DA_j), said specific authentication data transmitted by said
electronic key (EK_kj) to said electronic lock (B_i) consisting
of at least one public key (K'_p) certificate associated with
said private signature key (K'_s), said public key certificate
consisting of a digital signature value of at least one
validity time period (PH_j) relating to a right of access and
of said public key (K'_p), said signature value being
calculated from another private signature key (K_s) associated
with another public key (K_p), and, after reception by said
electronic lock of said signature value (C_i) and said specific
authentication data (DA_j):

- verification (1003) ((C_i, DA_j)) by said electronic lock
(B_i) of the authenticity of said signature value (C_i) as a
function of said specific authentication data (DA_j) and, in
response to a positive or negative result of said verification:

- acceptance or respectively refusal of said access.

2. A protocol according to claim 1, characterised in that said
step of verification of said signature value by said electronic
lock includes, in succession:

- verification (1003a) by said electronic lock (B_i) of the
authenticity of said specific authentication data based on
comparison with reference data and, in the event of a positive
result of said comparison:

- verification (1003b) by said electronic lock (B_i) of said
signature value (C_i) as a function of said specific
authentication data (DA_j).

3. A protocol according to claims 1 and 2, characterised in
that said step of verification by said electronic lock of the
authenticity of said specific authentication data (DA_j)
consists of checking said validity time period (PH_j)
associated with said public key (K'_p).

4. A protocol according to claim 2, characterised in that
validity time period (PH_j) includes a plurality of
non-contiguous time intervals.

5. A protocol according to claim 2 or claim 3, characterised in
that each validity time period (PH_j) consists of at least one
time interval having two limits each expressed as a date in
terms of day, month, year and a time in terms of hour, minute,
second.

6. A protocol according to any preceding claim, characterised
in that said random variable message (a_ij) prompting
authentication is a function of an identification value (CB_i)
of said electronic lock (B_i) and a continuously increasing
variable value (CO).

7. A protocol according to any of claims 1 to 6, characterised
in that, after reception of said random variable message (a_ij)
prompting authentication by said electronic key (EK_kj) but
before the step of calculation and transmission of a signature
value (C_i) by said electronic key, said electronic key (EK_kj)
having an internal clock, said protocol further consists of an
auxiliary verification step (1007) for authorising calculation
of the signature of said random variable message prompting
authentication, said auxiliary verification step (1007)
consisting of:

- using the other public key (K_p) associated with said other
private signature key (K_s) to verify (1007a) said public key
(K'_p) certificate and said validity time period (PH_j)
associated with said public key against said internal clock, to
verify the validity of said public key (K'_p),

- verifying (1007b) the association of said private signature
key (K'_s) and said public key (K'_p), whose validity has been
verified in the preceding step, and, on the basis of positive
and negative result criteria (1007c) for the preceding two
verification steps:

- continuing (1007e) or respectively interrupting (1007d) said
access control protocol.

8. A protocol according to any of claims 2 to 7, characterised
in that it further comprises a plurality of tests limiting all
attack outside said validity time period, which tests are
performed during said step of verification by said electronic
lock (B_i) of the authenticity of said signature value (C_i),
after said step (1003a) of verification by said electronic lock
(B_i) of the authenticity of the specific authentication data
(DA_j) consisting of checking said validity time period
associated with said public key (K'_p) but before said step
(1003b) of verification by said electronic lock (B_i) of the
authenticity of said signature value, said protocol further
comprising a plurality of tests (1003a_1) limiting any attack
outside said validity time period (PH_j).

9. A protocol according to any of claims 1 to 8, characterised
in that it comprises, before said step of calculation and
transmission from said electronic key (EK_kj) to said
electronic lock (B_i) of a signature value (C_i) of said random
variable message (a_ij) prompting authentication and specific
authentication data (DA_j), said electronic key including a
real-time clock:

- a step (1007c_1) of testing if a time variable delivered by
said real-time clock is inside said validity time period (PH_j)
and, in the event of a negative result of said test:

- a step (1007c_3) of invalidation of said electronic key
interrupting said access control and leading to refusal of said
access by said electronic lock.

10. An electronic key comprising cryptographic calculation
means (Ca_k) and message or data transmission means (T_k) for
implementing a protocol according to any of claims 1 to 9 for
controlling access to an electronic lock (B_i) by said
electronic key (EK_kj), characterised in that, in addition to a
central processor unit (CPU), said cryptographic calculation
means (Ca_k) include at least:

- a protected access memory area (1) for storing at least one
private signature key (K'_s) and specific authentication data
(DA_j), said specific authentication data (DA_j) consisting of
at least one public key (K'_p) certificate consisting of a
digital signature value of at least one validity time period
(PH_j) relating to a right of access and said public key
(K'_p), and

- a read-only memory (4) used to call programs for calculating
the digital signature value of a random variable message (a_ij)
delivered by said electronic lock (B_i) using said private
signature key (K'_s).

11. An electronic lock comprising cryptographic calculation
means (Ca_i) and message or data transmission means (T_i) for
implementing a protocol according to any of claims 1 to 9 for
controlling access to said electronic lock by an electronic key
(EK_kj), characterised in that, in addition to a central
processor unit (CPU), said calculation means (Ca_i) include at
least:

- a protected access memory area (5) for storing at least one
public signature verification key (K_p), and

- a read-only memory (6) used to call signature verification
programs based on said at least one public key.